Linux: Recovering Deleted /etc/shadow Password File

You may delete a file called /etc/shadow. If you try to boot into a single user mode, system will ask for the maintenance root password. Now imagine this, you do not have a backup of /etc/shadow file. How do you fix such problem in a production environment where time is a critical factor? I will explain how to recover a deleted /etc/shadow file in five easy steps.

It all started when one of our client accidentally deleted a file called /etc/shadow from co-located Debian Linux server. As a result, all account login (sftp/ssh) got disabled. However, ftp was working fine because proftpd was build using MySQL database.

#1: Boot server into a single user mode

First, reboot the server.

When you see grub-boot loader screen. Select Recovery mode version of the kernel that you wish to boot and type e for edit. Select the line that starts with kernel and type e to edit the line.

Go to the end of the line and type init=/bin/bash as a separate one word (press the spacebar and then type init=/bin/bash). Press enter key to exit edit mode.init=/bin/bash

At the GRUB screen, type b to boot into a single user mode. This causes the system to boot the kernel and run /bin/bash instead of its standard init. This allowed us to gain root privileges and a root shell.

Step #2: Make sure you can access the system partition

By default / file system will be mounted in a read-only mode and many disk partitions have not been mounted yet, you must do the following to have a reasonably functioning system. To mount partitions in read write mode, enter:# mount -rw -o remount / Note: Do not forget to (re)mount your rest of all your partitions in read/write (rw) mode such as /usr, /var, /home, /tmp etc.

Step #3: Rebuild /etc/shadow file from /etc/passwd

You need to use the pwconv command. It creates /etc/shadow from /etc/passwd and an optionally existing shadow.# pwconv

Next, use the passwd command to set a new root user account password, enter:# passwd You need to type the same password twice. If you have an admin account, then setup password for that account too. On most production servers direct root login is disabled. In our situation, admin was the only account allowed to use su and sudo command:# passwd admin

Finally, reboot the system, enter:# sync # reboot

Step # 4 Block all non-root login

Block all non-root (normal) users until you fix all password related problems. Since rest of account do not have any password, it is necessary to prevent non-root users from logging into the system. You need to create a file called /etc/nologin. It will allow access only to root. Other users will be shown the contents of this file and their logins will denied or refused.

1) Login as root user (terminal login only)

2) Create a file called /etc/nologin enter:cat > /etc/nologin System is down due to temporary problem. We will restore your access within 30 minutes time. If you have any questions please contact tech support at XXX-XXXX-ZZZZ or ts@it.example.com

Tip: Update all users password in a batch mode

Create a random password for each non-root user using chpasswd utility. It update passwords in batch mode. The chpasswd command reads a list of user name and password pairs from file and uses this information to update a group of existing users. Each line has the following format:

user_name:password

Remember by default the supplied password must be in clear-text format. This command is intended to be used in a large system environment where many accounts are created at a single time or in an emergency situation. First, you need to find out all non-root accounts using the awk command:awk -F: '{ if ( $3 >1000 ) print $1}' /etc/passwd > /root/tmp.pass

Make sure /root/tmp.pass file contains non-root usernames only.

Next, create a random password with pwgen command: By default, pwgen utility is not installed so you can install it with the help of apt-get or yum command, enter:# apt-get install pwgen OR# yum -y install pwgen The pwgen program generates passwords which are designed to be easily memorized by humans, while being as secure as possible. For example, the following command print the generated password:# pwgen -1 -n 8 Sample outputs:

Another, option is PhotoRec software. It is file data recovery software designed to recover lost files including video, documents and archives from hard disks, CD-ROMs, and lost pictures from digital camera memory. PhotoRec ignores the file system and goes after the underlying data, so it will still work even if your media’s file system has been severely damaged or reformatted. PhotoRec is free – this open source multi-platform application is distributed under GNU General Public License (GPLV v2+). PhotoRec is a companion program to TestDisk, an app for recovering lost partitions on a wide variety of file systems and making non-bootable disks bootable again.

What I would do instead of generating all new passwords is simply restore /etc/shadow from the nightly backup tape. This procedure would be good if you aren’t doing backups, but if you aren’t, shame on you!

I’m aware of OpenLDAP and other directory authentication services. On the other hand they are good for big setup (more than 3-4 servers). This was customers managed single server. Therefore, I cannot go and suggest them ;) thanks for your suggestion.

>Alejandro said… >You’re regenerating /etc/shadow, not recovering it from a delete. You don’t (becuase you can’t) recover user passwords. And, just as a question, which is the probability of losing only /etc/shadow and not your whole disk?

Yup it is regenerating or it creates /etc/shadow from /etc/passwd and an optionally existing shadow. As I said earlier, file deleted by mistake.

>And a question 2: if a user as root deleted /etc/shadow, which is the probability that he do dd if=/dev/zero of=/dev/sda??

I am sorry but I am not getting your point here. Sure root can run dd and destroy entire disk. That is what I said at the bottom, â€œI guess it explains the important of regular backup of both data and key files.â€. Since this server was 3rd party hosted in our IDC. It is not managed by us. Customer itself managing the server and they did not have a backup copy of /etc/shadow file; all they got was backup of mysql and ftp server. Moreover, ftpserver was working fine because proftpd was build using MySQL database for authentication and quota management. Therefore, I had to restore /etc/shadow file :)

If the file /etc/shadow is deleted, but the computer is still running and you still have root access, it might be possible to regenerate it from memory similar to the following approach: cat /proc/kcore | strings | egrep "^([^:]*:){8}[^:]*$" > /tmp/kcore-dump

Now you have a file which might include the contents of the deleted /etc/shadow. Now you have to take a text editor and extract the correct lines. Special care has to be taken because the contents might be incomplete or even wrong.

Hi, erery1: I followed to step 3, and then I touch a file named shadow in /etc, then edit it as follow: root::12823:0:99999:7::: does it mean that everyone can modify the password of root and get the privildge?

Hey, this is a restore of the file. I wont edit about 200 Users. So you can boot from a rescue cd or something else and just do a ->grep -b -A 200 “^root:” /dev/sda1 >mytmpshadow<- (I hope i didn't mistyped anything). This will scan your HDD (in my case /dev/sda1) like a textfile (where it is possible) and find ^root: and all 200 following lines. After this you just have to edit the file "mythmshadow" a litle bit with vi…

Dude, you have no idea how much you just helped me and potentially thousands of other Raspberry Pi users. Because of your tips I now have RedSleeve Linux running on my Pi. If you lived near me I would definitely buy you a beer or three. :) Thanks again, bro.